October, 2016:

An out-of-band security release for Adobe Flash player security has just been released and Microsoft also has quickly updated where needed as well

Adobe today released a critical update for Flash Player. The update was released outside of Adobe’s regular patch cycle.  The singled vulnerability fixed by this update, CVE-2016-7855, has already been exploited in targeted attacks against Windows.  Windows, Linux and Mac versions are affected, including versions embedded in Chrome and Edge/Internet Explorer 11. Please expedite this update, and review that Flash does not start automatically in your browser but only if enabled by the user for a specific site. Consider removing Flash whenever possible.

https://helpx.adobe.com/security/products/flash-player/apsb16-36.html

https://isc.sans.edu/forums/diary/Critical+Flash+Player+Update+APSB1636/21643/

Microsoft Security Bulletin MS16-128 – Critical:
https://technet.microsoft.com/en-us/library/security/ms16-128.aspx?f=255&MSPPError=-2147217396

John Maxwell shares an excellent article on the five levels of Leadership Development

http://www.johnmaxwell.com/blog/5-levels-of-leadership

Level 1 — Position — The lowest level of leadership—the entry level, if you will—is Position. It’s the only level that requires no ability or effort to achieve. At Level 1, people only follow if they believe that they have to.

Level 2 — Permission — Level 2 is based on relationship. At this level, people choose to follow because they want to. When you like people and treat them as individuals who have value, you begin to develop positive influence with them. Trust grows, which usually leads to respect.

Level 3 — Production — The best leaders know how to motivate their people to get things done! On this level, leaders who produce results build their influence and credibility.

Level 4 — People Development — Level 4 can be summed up in one word: reproduction. Your goal at this level is to identify and develop as many leaders as you can by investing in them and helping them grow.  The reason is simple: When there are more leaders, more of the organization’s mission can be accomplished.

Level 5 — Pinnacle — The highest level of leadership is also the most challenging to attain. It requires longevity as well as intentionality. You simply can’t reach Level 5 unless you are willing to invest your life into the lives of others for the long haul. But if you stick with it, if you continually focus on both growing yourself at every level, and developing leaders who are willing and able to develop other leaders, you may find yourself at the Pinnacle.

Microsoft announced highly innovative new graphical devices & 3-D software capabilities that will be forthcoming during 2017:

http://www.theverge.com/2016/10/26/13418262/microsoft-event-announcements-vr-headset-creators-update-surface-studio

http://www.pcmag.com/news/349059/windows-10-creators-update-arrives-this-spring-with-3d-vr

Microsoft wants artists and content creators to want its products. The company unveiled multiple creative-minded products at its keynote today, including a major Windows 10 upgrade called the “Creators Update” and a gorgeous PC called the Surface Studio. It has 80 custom parts in its arm alone! Most of today’s announcements were about advancing into the future, but Microsoft also stayed true to its roots with an update to Paint. We have all the highlights below.

1. Windows 10 Creators Update
2. 3D Paint
3. Windows VR headsets
4. Xbox live streaming
5. Windows People mode (new key contact approach)
6. Surface Studio (touchscreen all-in-one desktop computer – hi-res 28″ touch screen display)
7. Surface Dial (new input device for Surface)
8. Surface Book i7 (high-end version with Intel i7 microprocessor)

A brand new way for hackers shutdown INTERNET emerged earlier in the week when a DYN a key internet hosting company suffered a massive DDoS attack.  They recovered quickly, as a new approach of manipulating a new evolving technology called IOT (Internet of things) was discovered

http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/

I also don’t want to get too far into this post without:

1.Acknowledging the tremendous efforts of Dyn’s operations and support teams in doing battle with what’s likely to be seen as an historic attack.

2.Acknowledging the tremendous support of Dyn’s customers, many of whom reached out to support our mitigation efforts even as they were impacted. Service to our customers is always our number one priority, and we appreciate their understanding as that commitment means Dyn is often the first responder of the internet.

3.Thanking our partners in the technology community, from the operations teams of the world’s top internet companies, to law enforcement and the standards community, to our competition and vendors, we’re humbled and grateful for the outpouring of support.

Attack Timeline — Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers’ sites, including some of the marquee brands of the internet. We should note that Dyn did not experience a system-wide outage at any time – for example, users accessing these sites on the West Coast would have been successful.

What we know — At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.

To achieve long-range objectives over time, there must be a pattern of consistency or the day-to-day distractions will impact the overall success of the team.

http://www.johnmaxwell.com/blog/consistency-a-wise-investment-of-time

We live in a culture that rewards image – often over integrity. We promote people who appear to have their act together, and encourage others to do the same. Never mind any warning signs about their character. As long as they look good while they produce, our culture is satisfied.   Why do we reward image over integrity?  The answer is simple: Image is easy. Integrity is hard.

Am I Being True to Myself? — Living with integrity begins within. The only person in the world you can’t hide from is you. To be a genuine person, you have to be able to live with yourself and the decisions you make. If your actions would cause you shame or embarrassment if they were ever found out, then you’re not being true to yourself and your values.

Am I Being True to My Mentor? — Mentors are the people who have chosen to invest in you. They believe in you and your potential, and have shared their time and wisdom to help you maximize it. If your actions would disappoint them, then you’re not putting enough value on your mentor’s investment.

Am I Being True to My People? — You are surrounded by people who are affected by your actions. Be they family, friends, colleagues, or neighbors, your choices impact them on a daily basis. If you are not living a genuine life with them, it will ultimately damage the relationships that you need to thrive.

It’s easy to believe that integrity doesn’t really pay off. In fact, that seems to be the message our culture thrives on! Why do things the hard way when you can just “fake it ‘til you make it” – especially when so many people seem to succeed overnight through shortcuts and shams? It’s tempting to believe that you can or should do the same. After all, everyone wants to get to the top, so why not take the fastest route?

Microsoft’s new “Patch Tuesday” model improves installation process, but if issues surface with the updated system or devices the capability to fine tune and eliminate a small subset of the total release is no longer present.

http://www.darkreading.com/endpoint/microsofts-new-patch-tuesday-model-comes-with-benefits-and-risks/d/d-id/1327251

Microsoft as of this month officially transitioned its Patch Tuesday model to a cumulative patching process for Windows 7 and Windows 8.1 that security experts say is a more flexible and streamlined way to update vulnerable systems. But it also comes with some risks.  October 11 marked the first time Microsoft released updates via its new system, which combines security and non-security fixes into large bundles. Three distinct update bundles will roll out each month; two available to enterprise customers, and one for consumers.

One of these, for businesses and consumers, is released via Windows Update, Windows Server Update Services (WSUS), and the Windows Update Catalog. This is a monthly rollup of security and non-security fixes, which contains all updates for the month as well as fixes for the previous months. If a user skips a month, they will receive the patches for that month in the following month’s bundle.  The second bundle contains all security patches for the specific month and excludes fixes from previous months. These security-only rollouts, intended for enterprise users, are distributed through WSUS and Windows Update Catalog.

“What Microsoft is trying to do is make things simpler for users by delivering all updates together,” explains Amol Sarwate, director of vulnerability labs at Qualys. “When administrators install patches, they can just deploy one patch.” This model also makes it easier to learn which fixes are included and which aren’t, he adds.  Ullrich acknowledges the new model will make patch application easier, but there is also risk related to availability.  “If a particular patch interferes with a particular function of the PC, either a hardware component or customer software, then the entire patch has to be delayed and it will not be advisable to just apply a partial patch,” he explains.

Below are key resources documenting this recent monthly Microsoft Patch Tuesday release:

https://technet.microsoft.com/en-us/library/security/ms16-oct.aspx

https://isc.sans.edu/mspatchdays.html

http://blog.talosintel.com/2016/10/ms-tuesday.html

Patch Tuesday has once again arrived! Microsoft’s monthly release of security bulletins to address vulnerabilities provides fixes for 37 newly disclosed security flaws. Today’s release sees a total of 10 bulletins with five of the bulletins rated critical and address vulnerabilities in Edge, Graphics Component, Internet Explorer, Video Control, and Adobe Flash Player. Four bulletins are rated important and address flaws in Office, Windows Diagnostic Hub, Windows Kernel-Mode Drivers, and Windows Registry. One bulletin is rated moderate and addresses a flaw in Microsoft Internet Messaging API.  The following bulletins are rated critical: MS16-118, MS16-119, MS16-120, MS16-122, MS16-127

Linux vendors are scrambling to patch a nine year old vulnerability that is being used in the “Dirty Cow” exploit

http://www.pcmag.com/news/348973/researcher-discovers-exploit-of-9-year-old-linux-bug

http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-against-dirty-cow-security-flaw

An easy-to-exploit flaw in the Linux operating system has been present for nearly a decade, and security researchers warned last week that hackers are now starting to use it.  Linux developer Phil Oester discovered the so-called Dirty Cow bug, which lets attackers gain read and write access to a Linux system’s memory that would normally be read-only for all but the local user. Oester wrote in an email to Ars Technica that after exploiting it, “any user can become root in 5 seconds in my testing, very reliably.”

To take advangate of the Dirty Cow bug and gain access to the memory, a hacker just needs to upload a file to the system they’re targeting and execute it. That’s hacking 101, and can be accomplished numerous ways—from sending a malicious email to cracking a password.  “As Linus [Torvalds] notes in his commit, this is an ancient bug and impacts kernels going back many years. All Linux users need to take this bug very seriously, and patch their systems ASAP.”

A minor stability release was made for NMAP 7.31, the popular free PENTEST tool to fix minor issues after last month’s major version release

https://nmap.org/download.html

The big Nmap 7.30 release last month was a great success.  We didn’t even see as many bugs as expected for such a large release, but we have collected and fixed the ones which did arise in the last few weeks into a new 7.31 point release.  It includes the latest updates to our new Npcap driver, a fix for Nping on Windows, and more.  Nmap 7.31 source code and binary packages for Linux, Windows, and Mac are available for free download.  Here are the changes we put in since 7.30:

**  [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing increased stability, bug fixes, and raw 802.11 WiFi capture (unused by Nmap).

**  Fixed the way Nmap handles scanning names that resolve to the same IP. Due to changes in 7.30, the IP was only being scanned once, with bogus results displayed for the other names.

**  [Nping][GH#559] Fix Nping’s ability to use Npcap on Windows.   A privilege check was performed too late, so the Npcap loading code assumed the user had no rights.

**  [GH#350] Fix an assertion failure due to floating point error in equality comparison, which triggered mainly on OpenBSD

**  [Zenmap] Fix a crash in the About page in the Spanish translation due to a missing format specifier

**  [Zenmap][GH#556] Better visual indication that display of hostname is tied to address in the Topology page. You can show numeric addresses with hostnames or without, but you can’t show hostnames without numeric addresses when they are not available.

**  To increase the number of IPv6 fingerprint submissions, a prompt for submission will be shown with some random chance for successful matches of OS classes that are based on only a few submissions.

To achieve long-range objectives over time, there must be a pattern of consistency or the day-to-day distractions will impact the overall success of the team.

http://www.johnmaxwell.com/blog/consistency-a-wise-investment-of-time

Have you ever considered the time investment in some of the world’s greatest achievements?

* It took 26 months to build the Eiffel Tower.
* It took Da Vinci 4 years to paint the Mona Lisa.
* It took Michelangelo 4 years to paint the ceiling of the Sistine Chapel.
* It took Leo Tolstoy over 6 years to write War and Peace.
* It took around 30 years to build the Great Pyramid.

And I get impatient if microwave popcorn takes too long! Joking aside, I love this list because it reminds me of just what can be accomplished when a person invests time wisely. Time is the one commodity each person gets in equal measure. As songwriter Chris Rice once wrote, “Every day is a bank account, and time is our currency. No one’s rich, nobody’s poor – we get 24 hours each.”

Yet so many of us don’t invest time wisely. We spend many of the hours we’re given each day on things that bring us no return. According to the website Digital Trends, Americans now spend an average of 4.7 hours a day looking at social media on their phones. Take a moment and re-read that, because it’s an amazing statistic.

Consistency — All of this can be avoided with the habit of consistency. Consistency in this case means you give a little bit of time to each area every day, and stick with it. It won’t feel like much at first, but it’s the discipline to stick with it that yields not only the tangible results of the investment, but the internal rewards as well. You learn to increase the time you give each area. You become more aware of how you’re wasting time. You get sharper, smarter, and more focused as a result.